2000 character limit reached
DTA: Distribution Transform-based Attack for Query-Limited Scenario (2312.07245v1)
Published 12 Dec 2023 in cs.CV
Abstract: In generating adversarial examples, the conventional black-box attack methods rely on sufficient feedback from the to-be-attacked models by repeatedly querying until the attack is successful, which usually results in thousands of trials during an attack. This may be unacceptable in real applications since Machine Learning as a Service Platform (MLaaS) usually only returns the final result (i.e., hard-label) to the client and a system equipped with certain defense mechanisms could easily detect malicious queries. By contrast, a feasible way is a hard-label attack that simulates an attacked action being permitted to conduct a limited number of queries. To implement this idea, in this paper, we bypass the dependency on the to-be-attacked model and benefit from the characteristics of the distributions of adversarial examples to reformulate the attack problem in a distribution transform manner and propose a distribution transform-based attack (DTA). DTA builds a statistical mapping from the benign example to its adversarial counterparts by tackling the conditional likelihood under the hard-label black-box settings. In this way, it is no longer necessary to query the target model frequently. A well-trained DTA model can directly and efficiently generate a batch of adversarial examples for a certain input, which can be used to attack un-seen models based on the assumed transferability. Furthermore, we surprisingly find that the well-trained DTA model is not sensitive to the semantic spaces of the training dataset, meaning that the model yields acceptable attack performance on other datasets. Extensive experiments validate the effectiveness of the proposed idea and the superiority of DTA over the state-of-the-art.
- Goodfellow, I.J., Shlens, J., Szegedy, C.: Explaining and harnessing adversarial examples. In: ICLR (2015) Kurakin et al. [2017] Kurakin, A., Goodfellow, I.J., Bengio, S.: Adversarial examples in the physical world. In: ICLR (2017) Dong et al. [2018] Dong, Y., Liao, F., Pang, T., Su, H., Zhu, J., Hu, X., Li, J.: Boosting adversarial attacks with momentum. In: CVPR (2018). https://doi.org/10.1109/CVPR.2018.00957 Duan et al. [2020] Duan, R., Ma, X., Wang, Y., Bailey, J., Qin, A.K., Yang, Y.: Adversarial camouflage: Hiding physical-world attacks with natural styles. In: CVPR (2020). https://doi.org/10.1109/CVPR42600.2020.00108 Liu et al. [2022] Liu, P., Xu, X., Wang, W.: Threats, attacks and defenses to federated learning: issues, taxonomy and perspectives. Cybersecurity 5(1), 1–19 (2022) Liu et al. [2019] Liu, A., Liu, X., Fan, J., Ma, Y., Zhang, A., Xie, H., Tao, D.: Perceptual-sensitive GAN for generating adversarial patches. In: AAAI (2019). https://doi.org/10.1609/aaai.v33i01.33011028 Eykholt et al. [2018] Eykholt, K., Evtimov, I., Fernandes, E., Li, B., Rahmati, A., Xiao, C., Prakash, A., Kohno, T., Song, D.: Robust physical-world attacks on deep learning visual classification. In: CVPR (2018). https://doi.org/10.1109/CVPR.2018.00175 Akhtar et al. [2018] Akhtar, N., Liu, J., Mian, A.: Defense against universal adversarial perturbations. In: CVPR, pp. 3389–3398 (2018). https://doi.org/10.1109/CVPR.2018.00357 Wang et al. [2021] Wang, J., Chang, X., Wang, Y., Rodríguez, R.J., Zhang, J.: Lsgan-at: enhancing malware detector robustness against adversarial examples. Cybersecurity 4, 1–15 (2021) Madaan et al. [2020] Madaan, D., Shin, J., Hwang, S.J.: Adversarial neural pruning with latent vulnerability suppression. In: ICML, vol. 119, pp. 6575–6585 (2020) Zhang et al. [2020] Zhang, Y., Li, Y., Liu, T., Tian, X.: Dual-path distillation: A unified framework to improve black-box attacks. In: ICML, vol. 119, pp. 11163–11172 (2020) Guo et al. [2023] Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Kurakin, A., Goodfellow, I.J., Bengio, S.: Adversarial examples in the physical world. In: ICLR (2017) Dong et al. [2018] Dong, Y., Liao, F., Pang, T., Su, H., Zhu, J., Hu, X., Li, J.: Boosting adversarial attacks with momentum. In: CVPR (2018). https://doi.org/10.1109/CVPR.2018.00957 Duan et al. [2020] Duan, R., Ma, X., Wang, Y., Bailey, J., Qin, A.K., Yang, Y.: Adversarial camouflage: Hiding physical-world attacks with natural styles. In: CVPR (2020). https://doi.org/10.1109/CVPR42600.2020.00108 Liu et al. [2022] Liu, P., Xu, X., Wang, W.: Threats, attacks and defenses to federated learning: issues, taxonomy and perspectives. Cybersecurity 5(1), 1–19 (2022) Liu et al. [2019] Liu, A., Liu, X., Fan, J., Ma, Y., Zhang, A., Xie, H., Tao, D.: Perceptual-sensitive GAN for generating adversarial patches. In: AAAI (2019). https://doi.org/10.1609/aaai.v33i01.33011028 Eykholt et al. [2018] Eykholt, K., Evtimov, I., Fernandes, E., Li, B., Rahmati, A., Xiao, C., Prakash, A., Kohno, T., Song, D.: Robust physical-world attacks on deep learning visual classification. In: CVPR (2018). https://doi.org/10.1109/CVPR.2018.00175 Akhtar et al. [2018] Akhtar, N., Liu, J., Mian, A.: Defense against universal adversarial perturbations. In: CVPR, pp. 3389–3398 (2018). https://doi.org/10.1109/CVPR.2018.00357 Wang et al. [2021] Wang, J., Chang, X., Wang, Y., Rodríguez, R.J., Zhang, J.: Lsgan-at: enhancing malware detector robustness against adversarial examples. Cybersecurity 4, 1–15 (2021) Madaan et al. [2020] Madaan, D., Shin, J., Hwang, S.J.: Adversarial neural pruning with latent vulnerability suppression. In: ICML, vol. 119, pp. 6575–6585 (2020) Zhang et al. [2020] Zhang, Y., Li, Y., Liu, T., Tian, X.: Dual-path distillation: A unified framework to improve black-box attacks. In: ICML, vol. 119, pp. 11163–11172 (2020) Guo et al. [2023] Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dong, Y., Liao, F., Pang, T., Su, H., Zhu, J., Hu, X., Li, J.: Boosting adversarial attacks with momentum. In: CVPR (2018). https://doi.org/10.1109/CVPR.2018.00957 Duan et al. [2020] Duan, R., Ma, X., Wang, Y., Bailey, J., Qin, A.K., Yang, Y.: Adversarial camouflage: Hiding physical-world attacks with natural styles. In: CVPR (2020). https://doi.org/10.1109/CVPR42600.2020.00108 Liu et al. [2022] Liu, P., Xu, X., Wang, W.: Threats, attacks and defenses to federated learning: issues, taxonomy and perspectives. Cybersecurity 5(1), 1–19 (2022) Liu et al. [2019] Liu, A., Liu, X., Fan, J., Ma, Y., Zhang, A., Xie, H., Tao, D.: Perceptual-sensitive GAN for generating adversarial patches. In: AAAI (2019). https://doi.org/10.1609/aaai.v33i01.33011028 Eykholt et al. [2018] Eykholt, K., Evtimov, I., Fernandes, E., Li, B., Rahmati, A., Xiao, C., Prakash, A., Kohno, T., Song, D.: Robust physical-world attacks on deep learning visual classification. In: CVPR (2018). https://doi.org/10.1109/CVPR.2018.00175 Akhtar et al. [2018] Akhtar, N., Liu, J., Mian, A.: Defense against universal adversarial perturbations. In: CVPR, pp. 3389–3398 (2018). https://doi.org/10.1109/CVPR.2018.00357 Wang et al. [2021] Wang, J., Chang, X., Wang, Y., Rodríguez, R.J., Zhang, J.: Lsgan-at: enhancing malware detector robustness against adversarial examples. Cybersecurity 4, 1–15 (2021) Madaan et al. [2020] Madaan, D., Shin, J., Hwang, S.J.: Adversarial neural pruning with latent vulnerability suppression. In: ICML, vol. 119, pp. 6575–6585 (2020) Zhang et al. [2020] Zhang, Y., Li, Y., Liu, T., Tian, X.: Dual-path distillation: A unified framework to improve black-box attacks. In: ICML, vol. 119, pp. 11163–11172 (2020) Guo et al. [2023] Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Duan, R., Ma, X., Wang, Y., Bailey, J., Qin, A.K., Yang, Y.: Adversarial camouflage: Hiding physical-world attacks with natural styles. In: CVPR (2020). https://doi.org/10.1109/CVPR42600.2020.00108 Liu et al. [2022] Liu, P., Xu, X., Wang, W.: Threats, attacks and defenses to federated learning: issues, taxonomy and perspectives. Cybersecurity 5(1), 1–19 (2022) Liu et al. [2019] Liu, A., Liu, X., Fan, J., Ma, Y., Zhang, A., Xie, H., Tao, D.: Perceptual-sensitive GAN for generating adversarial patches. In: AAAI (2019). https://doi.org/10.1609/aaai.v33i01.33011028 Eykholt et al. [2018] Eykholt, K., Evtimov, I., Fernandes, E., Li, B., Rahmati, A., Xiao, C., Prakash, A., Kohno, T., Song, D.: Robust physical-world attacks on deep learning visual classification. In: CVPR (2018). https://doi.org/10.1109/CVPR.2018.00175 Akhtar et al. [2018] Akhtar, N., Liu, J., Mian, A.: Defense against universal adversarial perturbations. In: CVPR, pp. 3389–3398 (2018). https://doi.org/10.1109/CVPR.2018.00357 Wang et al. [2021] Wang, J., Chang, X., Wang, Y., Rodríguez, R.J., Zhang, J.: Lsgan-at: enhancing malware detector robustness against adversarial examples. Cybersecurity 4, 1–15 (2021) Madaan et al. [2020] Madaan, D., Shin, J., Hwang, S.J.: Adversarial neural pruning with latent vulnerability suppression. In: ICML, vol. 119, pp. 6575–6585 (2020) Zhang et al. [2020] Zhang, Y., Li, Y., Liu, T., Tian, X.: Dual-path distillation: A unified framework to improve black-box attacks. In: ICML, vol. 119, pp. 11163–11172 (2020) Guo et al. [2023] Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, P., Xu, X., Wang, W.: Threats, attacks and defenses to federated learning: issues, taxonomy and perspectives. Cybersecurity 5(1), 1–19 (2022) Liu et al. [2019] Liu, A., Liu, X., Fan, J., Ma, Y., Zhang, A., Xie, H., Tao, D.: Perceptual-sensitive GAN for generating adversarial patches. In: AAAI (2019). https://doi.org/10.1609/aaai.v33i01.33011028 Eykholt et al. [2018] Eykholt, K., Evtimov, I., Fernandes, E., Li, B., Rahmati, A., Xiao, C., Prakash, A., Kohno, T., Song, D.: Robust physical-world attacks on deep learning visual classification. In: CVPR (2018). https://doi.org/10.1109/CVPR.2018.00175 Akhtar et al. [2018] Akhtar, N., Liu, J., Mian, A.: Defense against universal adversarial perturbations. In: CVPR, pp. 3389–3398 (2018). https://doi.org/10.1109/CVPR.2018.00357 Wang et al. [2021] Wang, J., Chang, X., Wang, Y., Rodríguez, R.J., Zhang, J.: Lsgan-at: enhancing malware detector robustness against adversarial examples. Cybersecurity 4, 1–15 (2021) Madaan et al. [2020] Madaan, D., Shin, J., Hwang, S.J.: Adversarial neural pruning with latent vulnerability suppression. In: ICML, vol. 119, pp. 6575–6585 (2020) Zhang et al. [2020] Zhang, Y., Li, Y., Liu, T., Tian, X.: Dual-path distillation: A unified framework to improve black-box attacks. In: ICML, vol. 119, pp. 11163–11172 (2020) Guo et al. [2023] Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, A., Liu, X., Fan, J., Ma, Y., Zhang, A., Xie, H., Tao, D.: Perceptual-sensitive GAN for generating adversarial patches. In: AAAI (2019). https://doi.org/10.1609/aaai.v33i01.33011028 Eykholt et al. [2018] Eykholt, K., Evtimov, I., Fernandes, E., Li, B., Rahmati, A., Xiao, C., Prakash, A., Kohno, T., Song, D.: Robust physical-world attacks on deep learning visual classification. In: CVPR (2018). https://doi.org/10.1109/CVPR.2018.00175 Akhtar et al. [2018] Akhtar, N., Liu, J., Mian, A.: Defense against universal adversarial perturbations. In: CVPR, pp. 3389–3398 (2018). https://doi.org/10.1109/CVPR.2018.00357 Wang et al. [2021] Wang, J., Chang, X., Wang, Y., Rodríguez, R.J., Zhang, J.: Lsgan-at: enhancing malware detector robustness against adversarial examples. Cybersecurity 4, 1–15 (2021) Madaan et al. [2020] Madaan, D., Shin, J., Hwang, S.J.: Adversarial neural pruning with latent vulnerability suppression. In: ICML, vol. 119, pp. 6575–6585 (2020) Zhang et al. [2020] Zhang, Y., Li, Y., Liu, T., Tian, X.: Dual-path distillation: A unified framework to improve black-box attacks. In: ICML, vol. 119, pp. 11163–11172 (2020) Guo et al. [2023] Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Eykholt, K., Evtimov, I., Fernandes, E., Li, B., Rahmati, A., Xiao, C., Prakash, A., Kohno, T., Song, D.: Robust physical-world attacks on deep learning visual classification. In: CVPR (2018). https://doi.org/10.1109/CVPR.2018.00175 Akhtar et al. [2018] Akhtar, N., Liu, J., Mian, A.: Defense against universal adversarial perturbations. In: CVPR, pp. 3389–3398 (2018). https://doi.org/10.1109/CVPR.2018.00357 Wang et al. [2021] Wang, J., Chang, X., Wang, Y., Rodríguez, R.J., Zhang, J.: Lsgan-at: enhancing malware detector robustness against adversarial examples. Cybersecurity 4, 1–15 (2021) Madaan et al. [2020] Madaan, D., Shin, J., Hwang, S.J.: Adversarial neural pruning with latent vulnerability suppression. In: ICML, vol. 119, pp. 6575–6585 (2020) Zhang et al. [2020] Zhang, Y., Li, Y., Liu, T., Tian, X.: Dual-path distillation: A unified framework to improve black-box attacks. In: ICML, vol. 119, pp. 11163–11172 (2020) Guo et al. [2023] Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Akhtar, N., Liu, J., Mian, A.: Defense against universal adversarial perturbations. In: CVPR, pp. 3389–3398 (2018). https://doi.org/10.1109/CVPR.2018.00357 Wang et al. [2021] Wang, J., Chang, X., Wang, Y., Rodríguez, R.J., Zhang, J.: Lsgan-at: enhancing malware detector robustness against adversarial examples. Cybersecurity 4, 1–15 (2021) Madaan et al. [2020] Madaan, D., Shin, J., Hwang, S.J.: Adversarial neural pruning with latent vulnerability suppression. In: ICML, vol. 119, pp. 6575–6585 (2020) Zhang et al. [2020] Zhang, Y., Li, Y., Liu, T., Tian, X.: Dual-path distillation: A unified framework to improve black-box attacks. In: ICML, vol. 119, pp. 11163–11172 (2020) Guo et al. [2023] Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, J., Chang, X., Wang, Y., Rodríguez, R.J., Zhang, J.: Lsgan-at: enhancing malware detector robustness against adversarial examples. Cybersecurity 4, 1–15 (2021) Madaan et al. [2020] Madaan, D., Shin, J., Hwang, S.J.: Adversarial neural pruning with latent vulnerability suppression. In: ICML, vol. 119, pp. 6575–6585 (2020) Zhang et al. [2020] Zhang, Y., Li, Y., Liu, T., Tian, X.: Dual-path distillation: A unified framework to improve black-box attacks. In: ICML, vol. 119, pp. 11163–11172 (2020) Guo et al. [2023] Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Madaan, D., Shin, J., Hwang, S.J.: Adversarial neural pruning with latent vulnerability suppression. In: ICML, vol. 119, pp. 6575–6585 (2020) Zhang et al. [2020] Zhang, Y., Li, Y., Liu, T., Tian, X.: Dual-path distillation: A unified framework to improve black-box attacks. In: ICML, vol. 119, pp. 11163–11172 (2020) Guo et al. [2023] Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhang, Y., Li, Y., Liu, T., Tian, X.: Dual-path distillation: A unified framework to improve black-box attacks. In: ICML, vol. 119, pp. 11163–11172 (2020) Guo et al. [2023] Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Kurakin, A., Goodfellow, I.J., Bengio, S.: Adversarial examples in the physical world. In: ICLR (2017) Dong et al. [2018] Dong, Y., Liao, F., Pang, T., Su, H., Zhu, J., Hu, X., Li, J.: Boosting adversarial attacks with momentum. In: CVPR (2018). https://doi.org/10.1109/CVPR.2018.00957 Duan et al. [2020] Duan, R., Ma, X., Wang, Y., Bailey, J., Qin, A.K., Yang, Y.: Adversarial camouflage: Hiding physical-world attacks with natural styles. In: CVPR (2020). https://doi.org/10.1109/CVPR42600.2020.00108 Liu et al. [2022] Liu, P., Xu, X., Wang, W.: Threats, attacks and defenses to federated learning: issues, taxonomy and perspectives. Cybersecurity 5(1), 1–19 (2022) Liu et al. [2019] Liu, A., Liu, X., Fan, J., Ma, Y., Zhang, A., Xie, H., Tao, D.: Perceptual-sensitive GAN for generating adversarial patches. In: AAAI (2019). https://doi.org/10.1609/aaai.v33i01.33011028 Eykholt et al. [2018] Eykholt, K., Evtimov, I., Fernandes, E., Li, B., Rahmati, A., Xiao, C., Prakash, A., Kohno, T., Song, D.: Robust physical-world attacks on deep learning visual classification. In: CVPR (2018). https://doi.org/10.1109/CVPR.2018.00175 Akhtar et al. [2018] Akhtar, N., Liu, J., Mian, A.: Defense against universal adversarial perturbations. In: CVPR, pp. 3389–3398 (2018). https://doi.org/10.1109/CVPR.2018.00357 Wang et al. [2021] Wang, J., Chang, X., Wang, Y., Rodríguez, R.J., Zhang, J.: Lsgan-at: enhancing malware detector robustness against adversarial examples. Cybersecurity 4, 1–15 (2021) Madaan et al. [2020] Madaan, D., Shin, J., Hwang, S.J.: Adversarial neural pruning with latent vulnerability suppression. In: ICML, vol. 119, pp. 6575–6585 (2020) Zhang et al. [2020] Zhang, Y., Li, Y., Liu, T., Tian, X.: Dual-path distillation: A unified framework to improve black-box attacks. In: ICML, vol. 119, pp. 11163–11172 (2020) Guo et al. [2023] Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dong, Y., Liao, F., Pang, T., Su, H., Zhu, J., Hu, X., Li, J.: Boosting adversarial attacks with momentum. In: CVPR (2018). https://doi.org/10.1109/CVPR.2018.00957 Duan et al. [2020] Duan, R., Ma, X., Wang, Y., Bailey, J., Qin, A.K., Yang, Y.: Adversarial camouflage: Hiding physical-world attacks with natural styles. In: CVPR (2020). https://doi.org/10.1109/CVPR42600.2020.00108 Liu et al. [2022] Liu, P., Xu, X., Wang, W.: Threats, attacks and defenses to federated learning: issues, taxonomy and perspectives. Cybersecurity 5(1), 1–19 (2022) Liu et al. [2019] Liu, A., Liu, X., Fan, J., Ma, Y., Zhang, A., Xie, H., Tao, D.: Perceptual-sensitive GAN for generating adversarial patches. In: AAAI (2019). https://doi.org/10.1609/aaai.v33i01.33011028 Eykholt et al. [2018] Eykholt, K., Evtimov, I., Fernandes, E., Li, B., Rahmati, A., Xiao, C., Prakash, A., Kohno, T., Song, D.: Robust physical-world attacks on deep learning visual classification. In: CVPR (2018). https://doi.org/10.1109/CVPR.2018.00175 Akhtar et al. [2018] Akhtar, N., Liu, J., Mian, A.: Defense against universal adversarial perturbations. In: CVPR, pp. 3389–3398 (2018). https://doi.org/10.1109/CVPR.2018.00357 Wang et al. [2021] Wang, J., Chang, X., Wang, Y., Rodríguez, R.J., Zhang, J.: Lsgan-at: enhancing malware detector robustness against adversarial examples. Cybersecurity 4, 1–15 (2021) Madaan et al. [2020] Madaan, D., Shin, J., Hwang, S.J.: Adversarial neural pruning with latent vulnerability suppression. In: ICML, vol. 119, pp. 6575–6585 (2020) Zhang et al. [2020] Zhang, Y., Li, Y., Liu, T., Tian, X.: Dual-path distillation: A unified framework to improve black-box attacks. In: ICML, vol. 119, pp. 11163–11172 (2020) Guo et al. [2023] Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Duan, R., Ma, X., Wang, Y., Bailey, J., Qin, A.K., Yang, Y.: Adversarial camouflage: Hiding physical-world attacks with natural styles. In: CVPR (2020). https://doi.org/10.1109/CVPR42600.2020.00108 Liu et al. [2022] Liu, P., Xu, X., Wang, W.: Threats, attacks and defenses to federated learning: issues, taxonomy and perspectives. Cybersecurity 5(1), 1–19 (2022) Liu et al. [2019] Liu, A., Liu, X., Fan, J., Ma, Y., Zhang, A., Xie, H., Tao, D.: Perceptual-sensitive GAN for generating adversarial patches. In: AAAI (2019). https://doi.org/10.1609/aaai.v33i01.33011028 Eykholt et al. [2018] Eykholt, K., Evtimov, I., Fernandes, E., Li, B., Rahmati, A., Xiao, C., Prakash, A., Kohno, T., Song, D.: Robust physical-world attacks on deep learning visual classification. In: CVPR (2018). https://doi.org/10.1109/CVPR.2018.00175 Akhtar et al. [2018] Akhtar, N., Liu, J., Mian, A.: Defense against universal adversarial perturbations. In: CVPR, pp. 3389–3398 (2018). https://doi.org/10.1109/CVPR.2018.00357 Wang et al. [2021] Wang, J., Chang, X., Wang, Y., Rodríguez, R.J., Zhang, J.: Lsgan-at: enhancing malware detector robustness against adversarial examples. Cybersecurity 4, 1–15 (2021) Madaan et al. [2020] Madaan, D., Shin, J., Hwang, S.J.: Adversarial neural pruning with latent vulnerability suppression. In: ICML, vol. 119, pp. 6575–6585 (2020) Zhang et al. [2020] Zhang, Y., Li, Y., Liu, T., Tian, X.: Dual-path distillation: A unified framework to improve black-box attacks. In: ICML, vol. 119, pp. 11163–11172 (2020) Guo et al. [2023] Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, P., Xu, X., Wang, W.: Threats, attacks and defenses to federated learning: issues, taxonomy and perspectives. Cybersecurity 5(1), 1–19 (2022) Liu et al. [2019] Liu, A., Liu, X., Fan, J., Ma, Y., Zhang, A., Xie, H., Tao, D.: Perceptual-sensitive GAN for generating adversarial patches. In: AAAI (2019). https://doi.org/10.1609/aaai.v33i01.33011028 Eykholt et al. [2018] Eykholt, K., Evtimov, I., Fernandes, E., Li, B., Rahmati, A., Xiao, C., Prakash, A., Kohno, T., Song, D.: Robust physical-world attacks on deep learning visual classification. In: CVPR (2018). https://doi.org/10.1109/CVPR.2018.00175 Akhtar et al. [2018] Akhtar, N., Liu, J., Mian, A.: Defense against universal adversarial perturbations. In: CVPR, pp. 3389–3398 (2018). https://doi.org/10.1109/CVPR.2018.00357 Wang et al. [2021] Wang, J., Chang, X., Wang, Y., Rodríguez, R.J., Zhang, J.: Lsgan-at: enhancing malware detector robustness against adversarial examples. Cybersecurity 4, 1–15 (2021) Madaan et al. [2020] Madaan, D., Shin, J., Hwang, S.J.: Adversarial neural pruning with latent vulnerability suppression. In: ICML, vol. 119, pp. 6575–6585 (2020) Zhang et al. [2020] Zhang, Y., Li, Y., Liu, T., Tian, X.: Dual-path distillation: A unified framework to improve black-box attacks. In: ICML, vol. 119, pp. 11163–11172 (2020) Guo et al. [2023] Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, A., Liu, X., Fan, J., Ma, Y., Zhang, A., Xie, H., Tao, D.: Perceptual-sensitive GAN for generating adversarial patches. In: AAAI (2019). https://doi.org/10.1609/aaai.v33i01.33011028 Eykholt et al. [2018] Eykholt, K., Evtimov, I., Fernandes, E., Li, B., Rahmati, A., Xiao, C., Prakash, A., Kohno, T., Song, D.: Robust physical-world attacks on deep learning visual classification. In: CVPR (2018). https://doi.org/10.1109/CVPR.2018.00175 Akhtar et al. [2018] Akhtar, N., Liu, J., Mian, A.: Defense against universal adversarial perturbations. In: CVPR, pp. 3389–3398 (2018). https://doi.org/10.1109/CVPR.2018.00357 Wang et al. [2021] Wang, J., Chang, X., Wang, Y., Rodríguez, R.J., Zhang, J.: Lsgan-at: enhancing malware detector robustness against adversarial examples. Cybersecurity 4, 1–15 (2021) Madaan et al. [2020] Madaan, D., Shin, J., Hwang, S.J.: Adversarial neural pruning with latent vulnerability suppression. In: ICML, vol. 119, pp. 6575–6585 (2020) Zhang et al. [2020] Zhang, Y., Li, Y., Liu, T., Tian, X.: Dual-path distillation: A unified framework to improve black-box attacks. In: ICML, vol. 119, pp. 11163–11172 (2020) Guo et al. [2023] Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Eykholt, K., Evtimov, I., Fernandes, E., Li, B., Rahmati, A., Xiao, C., Prakash, A., Kohno, T., Song, D.: Robust physical-world attacks on deep learning visual classification. In: CVPR (2018). https://doi.org/10.1109/CVPR.2018.00175 Akhtar et al. [2018] Akhtar, N., Liu, J., Mian, A.: Defense against universal adversarial perturbations. In: CVPR, pp. 3389–3398 (2018). https://doi.org/10.1109/CVPR.2018.00357 Wang et al. [2021] Wang, J., Chang, X., Wang, Y., Rodríguez, R.J., Zhang, J.: Lsgan-at: enhancing malware detector robustness against adversarial examples. Cybersecurity 4, 1–15 (2021) Madaan et al. [2020] Madaan, D., Shin, J., Hwang, S.J.: Adversarial neural pruning with latent vulnerability suppression. In: ICML, vol. 119, pp. 6575–6585 (2020) Zhang et al. [2020] Zhang, Y., Li, Y., Liu, T., Tian, X.: Dual-path distillation: A unified framework to improve black-box attacks. In: ICML, vol. 119, pp. 11163–11172 (2020) Guo et al. [2023] Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Akhtar, N., Liu, J., Mian, A.: Defense against universal adversarial perturbations. In: CVPR, pp. 3389–3398 (2018). https://doi.org/10.1109/CVPR.2018.00357 Wang et al. [2021] Wang, J., Chang, X., Wang, Y., Rodríguez, R.J., Zhang, J.: Lsgan-at: enhancing malware detector robustness against adversarial examples. Cybersecurity 4, 1–15 (2021) Madaan et al. [2020] Madaan, D., Shin, J., Hwang, S.J.: Adversarial neural pruning with latent vulnerability suppression. In: ICML, vol. 119, pp. 6575–6585 (2020) Zhang et al. [2020] Zhang, Y., Li, Y., Liu, T., Tian, X.: Dual-path distillation: A unified framework to improve black-box attacks. In: ICML, vol. 119, pp. 11163–11172 (2020) Guo et al. [2023] Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, J., Chang, X., Wang, Y., Rodríguez, R.J., Zhang, J.: Lsgan-at: enhancing malware detector robustness against adversarial examples. Cybersecurity 4, 1–15 (2021) Madaan et al. [2020] Madaan, D., Shin, J., Hwang, S.J.: Adversarial neural pruning with latent vulnerability suppression. In: ICML, vol. 119, pp. 6575–6585 (2020) Zhang et al. [2020] Zhang, Y., Li, Y., Liu, T., Tian, X.: Dual-path distillation: A unified framework to improve black-box attacks. In: ICML, vol. 119, pp. 11163–11172 (2020) Guo et al. [2023] Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Madaan, D., Shin, J., Hwang, S.J.: Adversarial neural pruning with latent vulnerability suppression. In: ICML, vol. 119, pp. 6575–6585 (2020) Zhang et al. [2020] Zhang, Y., Li, Y., Liu, T., Tian, X.: Dual-path distillation: A unified framework to improve black-box attacks. In: ICML, vol. 119, pp. 11163–11172 (2020) Guo et al. [2023] Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhang, Y., Li, Y., Liu, T., Tian, X.: Dual-path distillation: A unified framework to improve black-box attacks. In: ICML, vol. 119, pp. 11163–11172 (2020) Guo et al. [2023] Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Dong, Y., Liao, F., Pang, T., Su, H., Zhu, J., Hu, X., Li, J.: Boosting adversarial attacks with momentum. In: CVPR (2018). https://doi.org/10.1109/CVPR.2018.00957 Duan et al. [2020] Duan, R., Ma, X., Wang, Y., Bailey, J., Qin, A.K., Yang, Y.: Adversarial camouflage: Hiding physical-world attacks with natural styles. In: CVPR (2020). https://doi.org/10.1109/CVPR42600.2020.00108 Liu et al. [2022] Liu, P., Xu, X., Wang, W.: Threats, attacks and defenses to federated learning: issues, taxonomy and perspectives. Cybersecurity 5(1), 1–19 (2022) Liu et al. [2019] Liu, A., Liu, X., Fan, J., Ma, Y., Zhang, A., Xie, H., Tao, D.: Perceptual-sensitive GAN for generating adversarial patches. In: AAAI (2019). https://doi.org/10.1609/aaai.v33i01.33011028 Eykholt et al. [2018] Eykholt, K., Evtimov, I., Fernandes, E., Li, B., Rahmati, A., Xiao, C., Prakash, A., Kohno, T., Song, D.: Robust physical-world attacks on deep learning visual classification. In: CVPR (2018). https://doi.org/10.1109/CVPR.2018.00175 Akhtar et al. [2018] Akhtar, N., Liu, J., Mian, A.: Defense against universal adversarial perturbations. In: CVPR, pp. 3389–3398 (2018). https://doi.org/10.1109/CVPR.2018.00357 Wang et al. [2021] Wang, J., Chang, X., Wang, Y., Rodríguez, R.J., Zhang, J.: Lsgan-at: enhancing malware detector robustness against adversarial examples. Cybersecurity 4, 1–15 (2021) Madaan et al. [2020] Madaan, D., Shin, J., Hwang, S.J.: Adversarial neural pruning with latent vulnerability suppression. In: ICML, vol. 119, pp. 6575–6585 (2020) Zhang et al. [2020] Zhang, Y., Li, Y., Liu, T., Tian, X.: Dual-path distillation: A unified framework to improve black-box attacks. In: ICML, vol. 119, pp. 11163–11172 (2020) Guo et al. [2023] Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Duan, R., Ma, X., Wang, Y., Bailey, J., Qin, A.K., Yang, Y.: Adversarial camouflage: Hiding physical-world attacks with natural styles. In: CVPR (2020). https://doi.org/10.1109/CVPR42600.2020.00108 Liu et al. [2022] Liu, P., Xu, X., Wang, W.: Threats, attacks and defenses to federated learning: issues, taxonomy and perspectives. Cybersecurity 5(1), 1–19 (2022) Liu et al. [2019] Liu, A., Liu, X., Fan, J., Ma, Y., Zhang, A., Xie, H., Tao, D.: Perceptual-sensitive GAN for generating adversarial patches. In: AAAI (2019). https://doi.org/10.1609/aaai.v33i01.33011028 Eykholt et al. [2018] Eykholt, K., Evtimov, I., Fernandes, E., Li, B., Rahmati, A., Xiao, C., Prakash, A., Kohno, T., Song, D.: Robust physical-world attacks on deep learning visual classification. In: CVPR (2018). https://doi.org/10.1109/CVPR.2018.00175 Akhtar et al. [2018] Akhtar, N., Liu, J., Mian, A.: Defense against universal adversarial perturbations. In: CVPR, pp. 3389–3398 (2018). https://doi.org/10.1109/CVPR.2018.00357 Wang et al. [2021] Wang, J., Chang, X., Wang, Y., Rodríguez, R.J., Zhang, J.: Lsgan-at: enhancing malware detector robustness against adversarial examples. Cybersecurity 4, 1–15 (2021) Madaan et al. [2020] Madaan, D., Shin, J., Hwang, S.J.: Adversarial neural pruning with latent vulnerability suppression. In: ICML, vol. 119, pp. 6575–6585 (2020) Zhang et al. [2020] Zhang, Y., Li, Y., Liu, T., Tian, X.: Dual-path distillation: A unified framework to improve black-box attacks. In: ICML, vol. 119, pp. 11163–11172 (2020) Guo et al. [2023] Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, P., Xu, X., Wang, W.: Threats, attacks and defenses to federated learning: issues, taxonomy and perspectives. Cybersecurity 5(1), 1–19 (2022) Liu et al. [2019] Liu, A., Liu, X., Fan, J., Ma, Y., Zhang, A., Xie, H., Tao, D.: Perceptual-sensitive GAN for generating adversarial patches. In: AAAI (2019). https://doi.org/10.1609/aaai.v33i01.33011028 Eykholt et al. [2018] Eykholt, K., Evtimov, I., Fernandes, E., Li, B., Rahmati, A., Xiao, C., Prakash, A., Kohno, T., Song, D.: Robust physical-world attacks on deep learning visual classification. In: CVPR (2018). https://doi.org/10.1109/CVPR.2018.00175 Akhtar et al. [2018] Akhtar, N., Liu, J., Mian, A.: Defense against universal adversarial perturbations. In: CVPR, pp. 3389–3398 (2018). https://doi.org/10.1109/CVPR.2018.00357 Wang et al. [2021] Wang, J., Chang, X., Wang, Y., Rodríguez, R.J., Zhang, J.: Lsgan-at: enhancing malware detector robustness against adversarial examples. Cybersecurity 4, 1–15 (2021) Madaan et al. [2020] Madaan, D., Shin, J., Hwang, S.J.: Adversarial neural pruning with latent vulnerability suppression. In: ICML, vol. 119, pp. 6575–6585 (2020) Zhang et al. [2020] Zhang, Y., Li, Y., Liu, T., Tian, X.: Dual-path distillation: A unified framework to improve black-box attacks. In: ICML, vol. 119, pp. 11163–11172 (2020) Guo et al. [2023] Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, A., Liu, X., Fan, J., Ma, Y., Zhang, A., Xie, H., Tao, D.: Perceptual-sensitive GAN for generating adversarial patches. In: AAAI (2019). https://doi.org/10.1609/aaai.v33i01.33011028 Eykholt et al. [2018] Eykholt, K., Evtimov, I., Fernandes, E., Li, B., Rahmati, A., Xiao, C., Prakash, A., Kohno, T., Song, D.: Robust physical-world attacks on deep learning visual classification. In: CVPR (2018). https://doi.org/10.1109/CVPR.2018.00175 Akhtar et al. [2018] Akhtar, N., Liu, J., Mian, A.: Defense against universal adversarial perturbations. In: CVPR, pp. 3389–3398 (2018). https://doi.org/10.1109/CVPR.2018.00357 Wang et al. [2021] Wang, J., Chang, X., Wang, Y., Rodríguez, R.J., Zhang, J.: Lsgan-at: enhancing malware detector robustness against adversarial examples. Cybersecurity 4, 1–15 (2021) Madaan et al. [2020] Madaan, D., Shin, J., Hwang, S.J.: Adversarial neural pruning with latent vulnerability suppression. In: ICML, vol. 119, pp. 6575–6585 (2020) Zhang et al. [2020] Zhang, Y., Li, Y., Liu, T., Tian, X.: Dual-path distillation: A unified framework to improve black-box attacks. In: ICML, vol. 119, pp. 11163–11172 (2020) Guo et al. [2023] Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Eykholt, K., Evtimov, I., Fernandes, E., Li, B., Rahmati, A., Xiao, C., Prakash, A., Kohno, T., Song, D.: Robust physical-world attacks on deep learning visual classification. In: CVPR (2018). https://doi.org/10.1109/CVPR.2018.00175 Akhtar et al. [2018] Akhtar, N., Liu, J., Mian, A.: Defense against universal adversarial perturbations. In: CVPR, pp. 3389–3398 (2018). https://doi.org/10.1109/CVPR.2018.00357 Wang et al. [2021] Wang, J., Chang, X., Wang, Y., Rodríguez, R.J., Zhang, J.: Lsgan-at: enhancing malware detector robustness against adversarial examples. Cybersecurity 4, 1–15 (2021) Madaan et al. [2020] Madaan, D., Shin, J., Hwang, S.J.: Adversarial neural pruning with latent vulnerability suppression. In: ICML, vol. 119, pp. 6575–6585 (2020) Zhang et al. [2020] Zhang, Y., Li, Y., Liu, T., Tian, X.: Dual-path distillation: A unified framework to improve black-box attacks. In: ICML, vol. 119, pp. 11163–11172 (2020) Guo et al. [2023] Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Akhtar, N., Liu, J., Mian, A.: Defense against universal adversarial perturbations. In: CVPR, pp. 3389–3398 (2018). https://doi.org/10.1109/CVPR.2018.00357 Wang et al. [2021] Wang, J., Chang, X., Wang, Y., Rodríguez, R.J., Zhang, J.: Lsgan-at: enhancing malware detector robustness against adversarial examples. Cybersecurity 4, 1–15 (2021) Madaan et al. [2020] Madaan, D., Shin, J., Hwang, S.J.: Adversarial neural pruning with latent vulnerability suppression. In: ICML, vol. 119, pp. 6575–6585 (2020) Zhang et al. [2020] Zhang, Y., Li, Y., Liu, T., Tian, X.: Dual-path distillation: A unified framework to improve black-box attacks. In: ICML, vol. 119, pp. 11163–11172 (2020) Guo et al. [2023] Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, J., Chang, X., Wang, Y., Rodríguez, R.J., Zhang, J.: Lsgan-at: enhancing malware detector robustness against adversarial examples. Cybersecurity 4, 1–15 (2021) Madaan et al. [2020] Madaan, D., Shin, J., Hwang, S.J.: Adversarial neural pruning with latent vulnerability suppression. In: ICML, vol. 119, pp. 6575–6585 (2020) Zhang et al. [2020] Zhang, Y., Li, Y., Liu, T., Tian, X.: Dual-path distillation: A unified framework to improve black-box attacks. In: ICML, vol. 119, pp. 11163–11172 (2020) Guo et al. [2023] Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Madaan, D., Shin, J., Hwang, S.J.: Adversarial neural pruning with latent vulnerability suppression. In: ICML, vol. 119, pp. 6575–6585 (2020) Zhang et al. [2020] Zhang, Y., Li, Y., Liu, T., Tian, X.: Dual-path distillation: A unified framework to improve black-box attacks. In: ICML, vol. 119, pp. 11163–11172 (2020) Guo et al. [2023] Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhang, Y., Li, Y., Liu, T., Tian, X.: Dual-path distillation: A unified framework to improve black-box attacks. In: ICML, vol. 119, pp. 11163–11172 (2020) Guo et al. [2023] Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Duan, R., Ma, X., Wang, Y., Bailey, J., Qin, A.K., Yang, Y.: Adversarial camouflage: Hiding physical-world attacks with natural styles. In: CVPR (2020). https://doi.org/10.1109/CVPR42600.2020.00108 Liu et al. [2022] Liu, P., Xu, X., Wang, W.: Threats, attacks and defenses to federated learning: issues, taxonomy and perspectives. Cybersecurity 5(1), 1–19 (2022) Liu et al. [2019] Liu, A., Liu, X., Fan, J., Ma, Y., Zhang, A., Xie, H., Tao, D.: Perceptual-sensitive GAN for generating adversarial patches. In: AAAI (2019). https://doi.org/10.1609/aaai.v33i01.33011028 Eykholt et al. [2018] Eykholt, K., Evtimov, I., Fernandes, E., Li, B., Rahmati, A., Xiao, C., Prakash, A., Kohno, T., Song, D.: Robust physical-world attacks on deep learning visual classification. In: CVPR (2018). https://doi.org/10.1109/CVPR.2018.00175 Akhtar et al. [2018] Akhtar, N., Liu, J., Mian, A.: Defense against universal adversarial perturbations. In: CVPR, pp. 3389–3398 (2018). https://doi.org/10.1109/CVPR.2018.00357 Wang et al. [2021] Wang, J., Chang, X., Wang, Y., Rodríguez, R.J., Zhang, J.: Lsgan-at: enhancing malware detector robustness against adversarial examples. Cybersecurity 4, 1–15 (2021) Madaan et al. [2020] Madaan, D., Shin, J., Hwang, S.J.: Adversarial neural pruning with latent vulnerability suppression. In: ICML, vol. 119, pp. 6575–6585 (2020) Zhang et al. [2020] Zhang, Y., Li, Y., Liu, T., Tian, X.: Dual-path distillation: A unified framework to improve black-box attacks. In: ICML, vol. 119, pp. 11163–11172 (2020) Guo et al. [2023] Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, P., Xu, X., Wang, W.: Threats, attacks and defenses to federated learning: issues, taxonomy and perspectives. Cybersecurity 5(1), 1–19 (2022) Liu et al. [2019] Liu, A., Liu, X., Fan, J., Ma, Y., Zhang, A., Xie, H., Tao, D.: Perceptual-sensitive GAN for generating adversarial patches. In: AAAI (2019). https://doi.org/10.1609/aaai.v33i01.33011028 Eykholt et al. [2018] Eykholt, K., Evtimov, I., Fernandes, E., Li, B., Rahmati, A., Xiao, C., Prakash, A., Kohno, T., Song, D.: Robust physical-world attacks on deep learning visual classification. In: CVPR (2018). https://doi.org/10.1109/CVPR.2018.00175 Akhtar et al. [2018] Akhtar, N., Liu, J., Mian, A.: Defense against universal adversarial perturbations. In: CVPR, pp. 3389–3398 (2018). https://doi.org/10.1109/CVPR.2018.00357 Wang et al. [2021] Wang, J., Chang, X., Wang, Y., Rodríguez, R.J., Zhang, J.: Lsgan-at: enhancing malware detector robustness against adversarial examples. Cybersecurity 4, 1–15 (2021) Madaan et al. [2020] Madaan, D., Shin, J., Hwang, S.J.: Adversarial neural pruning with latent vulnerability suppression. In: ICML, vol. 119, pp. 6575–6585 (2020) Zhang et al. [2020] Zhang, Y., Li, Y., Liu, T., Tian, X.: Dual-path distillation: A unified framework to improve black-box attacks. In: ICML, vol. 119, pp. 11163–11172 (2020) Guo et al. [2023] Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, A., Liu, X., Fan, J., Ma, Y., Zhang, A., Xie, H., Tao, D.: Perceptual-sensitive GAN for generating adversarial patches. In: AAAI (2019). https://doi.org/10.1609/aaai.v33i01.33011028 Eykholt et al. [2018] Eykholt, K., Evtimov, I., Fernandes, E., Li, B., Rahmati, A., Xiao, C., Prakash, A., Kohno, T., Song, D.: Robust physical-world attacks on deep learning visual classification. In: CVPR (2018). https://doi.org/10.1109/CVPR.2018.00175 Akhtar et al. [2018] Akhtar, N., Liu, J., Mian, A.: Defense against universal adversarial perturbations. In: CVPR, pp. 3389–3398 (2018). https://doi.org/10.1109/CVPR.2018.00357 Wang et al. [2021] Wang, J., Chang, X., Wang, Y., Rodríguez, R.J., Zhang, J.: Lsgan-at: enhancing malware detector robustness against adversarial examples. Cybersecurity 4, 1–15 (2021) Madaan et al. [2020] Madaan, D., Shin, J., Hwang, S.J.: Adversarial neural pruning with latent vulnerability suppression. In: ICML, vol. 119, pp. 6575–6585 (2020) Zhang et al. [2020] Zhang, Y., Li, Y., Liu, T., Tian, X.: Dual-path distillation: A unified framework to improve black-box attacks. In: ICML, vol. 119, pp. 11163–11172 (2020) Guo et al. [2023] Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Eykholt, K., Evtimov, I., Fernandes, E., Li, B., Rahmati, A., Xiao, C., Prakash, A., Kohno, T., Song, D.: Robust physical-world attacks on deep learning visual classification. In: CVPR (2018). https://doi.org/10.1109/CVPR.2018.00175 Akhtar et al. [2018] Akhtar, N., Liu, J., Mian, A.: Defense against universal adversarial perturbations. In: CVPR, pp. 3389–3398 (2018). https://doi.org/10.1109/CVPR.2018.00357 Wang et al. [2021] Wang, J., Chang, X., Wang, Y., Rodríguez, R.J., Zhang, J.: Lsgan-at: enhancing malware detector robustness against adversarial examples. Cybersecurity 4, 1–15 (2021) Madaan et al. [2020] Madaan, D., Shin, J., Hwang, S.J.: Adversarial neural pruning with latent vulnerability suppression. In: ICML, vol. 119, pp. 6575–6585 (2020) Zhang et al. [2020] Zhang, Y., Li, Y., Liu, T., Tian, X.: Dual-path distillation: A unified framework to improve black-box attacks. In: ICML, vol. 119, pp. 11163–11172 (2020) Guo et al. [2023] Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Akhtar, N., Liu, J., Mian, A.: Defense against universal adversarial perturbations. In: CVPR, pp. 3389–3398 (2018). https://doi.org/10.1109/CVPR.2018.00357 Wang et al. [2021] Wang, J., Chang, X., Wang, Y., Rodríguez, R.J., Zhang, J.: Lsgan-at: enhancing malware detector robustness against adversarial examples. Cybersecurity 4, 1–15 (2021) Madaan et al. [2020] Madaan, D., Shin, J., Hwang, S.J.: Adversarial neural pruning with latent vulnerability suppression. In: ICML, vol. 119, pp. 6575–6585 (2020) Zhang et al. [2020] Zhang, Y., Li, Y., Liu, T., Tian, X.: Dual-path distillation: A unified framework to improve black-box attacks. In: ICML, vol. 119, pp. 11163–11172 (2020) Guo et al. [2023] Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, J., Chang, X., Wang, Y., Rodríguez, R.J., Zhang, J.: Lsgan-at: enhancing malware detector robustness against adversarial examples. Cybersecurity 4, 1–15 (2021) Madaan et al. [2020] Madaan, D., Shin, J., Hwang, S.J.: Adversarial neural pruning with latent vulnerability suppression. In: ICML, vol. 119, pp. 6575–6585 (2020) Zhang et al. [2020] Zhang, Y., Li, Y., Liu, T., Tian, X.: Dual-path distillation: A unified framework to improve black-box attacks. In: ICML, vol. 119, pp. 11163–11172 (2020) Guo et al. [2023] Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Madaan, D., Shin, J., Hwang, S.J.: Adversarial neural pruning with latent vulnerability suppression. In: ICML, vol. 119, pp. 6575–6585 (2020) Zhang et al. [2020] Zhang, Y., Li, Y., Liu, T., Tian, X.: Dual-path distillation: A unified framework to improve black-box attacks. In: ICML, vol. 119, pp. 11163–11172 (2020) Guo et al. [2023] Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhang, Y., Li, Y., Liu, T., Tian, X.: Dual-path distillation: A unified framework to improve black-box attacks. In: ICML, vol. 119, pp. 11163–11172 (2020) Guo et al. [2023] Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Liu, P., Xu, X., Wang, W.: Threats, attacks and defenses to federated learning: issues, taxonomy and perspectives. Cybersecurity 5(1), 1–19 (2022) Liu et al. [2019] Liu, A., Liu, X., Fan, J., Ma, Y., Zhang, A., Xie, H., Tao, D.: Perceptual-sensitive GAN for generating adversarial patches. In: AAAI (2019). https://doi.org/10.1609/aaai.v33i01.33011028 Eykholt et al. [2018] Eykholt, K., Evtimov, I., Fernandes, E., Li, B., Rahmati, A., Xiao, C., Prakash, A., Kohno, T., Song, D.: Robust physical-world attacks on deep learning visual classification. In: CVPR (2018). https://doi.org/10.1109/CVPR.2018.00175 Akhtar et al. [2018] Akhtar, N., Liu, J., Mian, A.: Defense against universal adversarial perturbations. In: CVPR, pp. 3389–3398 (2018). https://doi.org/10.1109/CVPR.2018.00357 Wang et al. [2021] Wang, J., Chang, X., Wang, Y., Rodríguez, R.J., Zhang, J.: Lsgan-at: enhancing malware detector robustness against adversarial examples. Cybersecurity 4, 1–15 (2021) Madaan et al. [2020] Madaan, D., Shin, J., Hwang, S.J.: Adversarial neural pruning with latent vulnerability suppression. In: ICML, vol. 119, pp. 6575–6585 (2020) Zhang et al. [2020] Zhang, Y., Li, Y., Liu, T., Tian, X.: Dual-path distillation: A unified framework to improve black-box attacks. In: ICML, vol. 119, pp. 11163–11172 (2020) Guo et al. [2023] Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, A., Liu, X., Fan, J., Ma, Y., Zhang, A., Xie, H., Tao, D.: Perceptual-sensitive GAN for generating adversarial patches. In: AAAI (2019). https://doi.org/10.1609/aaai.v33i01.33011028 Eykholt et al. [2018] Eykholt, K., Evtimov, I., Fernandes, E., Li, B., Rahmati, A., Xiao, C., Prakash, A., Kohno, T., Song, D.: Robust physical-world attacks on deep learning visual classification. In: CVPR (2018). https://doi.org/10.1109/CVPR.2018.00175 Akhtar et al. [2018] Akhtar, N., Liu, J., Mian, A.: Defense against universal adversarial perturbations. In: CVPR, pp. 3389–3398 (2018). https://doi.org/10.1109/CVPR.2018.00357 Wang et al. [2021] Wang, J., Chang, X., Wang, Y., Rodríguez, R.J., Zhang, J.: Lsgan-at: enhancing malware detector robustness against adversarial examples. Cybersecurity 4, 1–15 (2021) Madaan et al. [2020] Madaan, D., Shin, J., Hwang, S.J.: Adversarial neural pruning with latent vulnerability suppression. In: ICML, vol. 119, pp. 6575–6585 (2020) Zhang et al. [2020] Zhang, Y., Li, Y., Liu, T., Tian, X.: Dual-path distillation: A unified framework to improve black-box attacks. In: ICML, vol. 119, pp. 11163–11172 (2020) Guo et al. [2023] Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Eykholt, K., Evtimov, I., Fernandes, E., Li, B., Rahmati, A., Xiao, C., Prakash, A., Kohno, T., Song, D.: Robust physical-world attacks on deep learning visual classification. In: CVPR (2018). https://doi.org/10.1109/CVPR.2018.00175 Akhtar et al. [2018] Akhtar, N., Liu, J., Mian, A.: Defense against universal adversarial perturbations. In: CVPR, pp. 3389–3398 (2018). https://doi.org/10.1109/CVPR.2018.00357 Wang et al. [2021] Wang, J., Chang, X., Wang, Y., Rodríguez, R.J., Zhang, J.: Lsgan-at: enhancing malware detector robustness against adversarial examples. Cybersecurity 4, 1–15 (2021) Madaan et al. [2020] Madaan, D., Shin, J., Hwang, S.J.: Adversarial neural pruning with latent vulnerability suppression. In: ICML, vol. 119, pp. 6575–6585 (2020) Zhang et al. [2020] Zhang, Y., Li, Y., Liu, T., Tian, X.: Dual-path distillation: A unified framework to improve black-box attacks. In: ICML, vol. 119, pp. 11163–11172 (2020) Guo et al. [2023] Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Akhtar, N., Liu, J., Mian, A.: Defense against universal adversarial perturbations. In: CVPR, pp. 3389–3398 (2018). https://doi.org/10.1109/CVPR.2018.00357 Wang et al. [2021] Wang, J., Chang, X., Wang, Y., Rodríguez, R.J., Zhang, J.: Lsgan-at: enhancing malware detector robustness against adversarial examples. Cybersecurity 4, 1–15 (2021) Madaan et al. [2020] Madaan, D., Shin, J., Hwang, S.J.: Adversarial neural pruning with latent vulnerability suppression. In: ICML, vol. 119, pp. 6575–6585 (2020) Zhang et al. [2020] Zhang, Y., Li, Y., Liu, T., Tian, X.: Dual-path distillation: A unified framework to improve black-box attacks. In: ICML, vol. 119, pp. 11163–11172 (2020) Guo et al. [2023] Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, J., Chang, X., Wang, Y., Rodríguez, R.J., Zhang, J.: Lsgan-at: enhancing malware detector robustness against adversarial examples. Cybersecurity 4, 1–15 (2021) Madaan et al. [2020] Madaan, D., Shin, J., Hwang, S.J.: Adversarial neural pruning with latent vulnerability suppression. In: ICML, vol. 119, pp. 6575–6585 (2020) Zhang et al. [2020] Zhang, Y., Li, Y., Liu, T., Tian, X.: Dual-path distillation: A unified framework to improve black-box attacks. In: ICML, vol. 119, pp. 11163–11172 (2020) Guo et al. [2023] Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Madaan, D., Shin, J., Hwang, S.J.: Adversarial neural pruning with latent vulnerability suppression. In: ICML, vol. 119, pp. 6575–6585 (2020) Zhang et al. [2020] Zhang, Y., Li, Y., Liu, T., Tian, X.: Dual-path distillation: A unified framework to improve black-box attacks. In: ICML, vol. 119, pp. 11163–11172 (2020) Guo et al. [2023] Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhang, Y., Li, Y., Liu, T., Tian, X.: Dual-path distillation: A unified framework to improve black-box attacks. In: ICML, vol. 119, pp. 11163–11172 (2020) Guo et al. [2023] Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Liu, A., Liu, X., Fan, J., Ma, Y., Zhang, A., Xie, H., Tao, D.: Perceptual-sensitive GAN for generating adversarial patches. In: AAAI (2019). https://doi.org/10.1609/aaai.v33i01.33011028 Eykholt et al. [2018] Eykholt, K., Evtimov, I., Fernandes, E., Li, B., Rahmati, A., Xiao, C., Prakash, A., Kohno, T., Song, D.: Robust physical-world attacks on deep learning visual classification. In: CVPR (2018). https://doi.org/10.1109/CVPR.2018.00175 Akhtar et al. [2018] Akhtar, N., Liu, J., Mian, A.: Defense against universal adversarial perturbations. In: CVPR, pp. 3389–3398 (2018). https://doi.org/10.1109/CVPR.2018.00357 Wang et al. [2021] Wang, J., Chang, X., Wang, Y., Rodríguez, R.J., Zhang, J.: Lsgan-at: enhancing malware detector robustness against adversarial examples. Cybersecurity 4, 1–15 (2021) Madaan et al. [2020] Madaan, D., Shin, J., Hwang, S.J.: Adversarial neural pruning with latent vulnerability suppression. In: ICML, vol. 119, pp. 6575–6585 (2020) Zhang et al. [2020] Zhang, Y., Li, Y., Liu, T., Tian, X.: Dual-path distillation: A unified framework to improve black-box attacks. In: ICML, vol. 119, pp. 11163–11172 (2020) Guo et al. [2023] Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Eykholt, K., Evtimov, I., Fernandes, E., Li, B., Rahmati, A., Xiao, C., Prakash, A., Kohno, T., Song, D.: Robust physical-world attacks on deep learning visual classification. In: CVPR (2018). https://doi.org/10.1109/CVPR.2018.00175 Akhtar et al. [2018] Akhtar, N., Liu, J., Mian, A.: Defense against universal adversarial perturbations. In: CVPR, pp. 3389–3398 (2018). https://doi.org/10.1109/CVPR.2018.00357 Wang et al. [2021] Wang, J., Chang, X., Wang, Y., Rodríguez, R.J., Zhang, J.: Lsgan-at: enhancing malware detector robustness against adversarial examples. Cybersecurity 4, 1–15 (2021) Madaan et al. [2020] Madaan, D., Shin, J., Hwang, S.J.: Adversarial neural pruning with latent vulnerability suppression. In: ICML, vol. 119, pp. 6575–6585 (2020) Zhang et al. [2020] Zhang, Y., Li, Y., Liu, T., Tian, X.: Dual-path distillation: A unified framework to improve black-box attacks. In: ICML, vol. 119, pp. 11163–11172 (2020) Guo et al. [2023] Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Akhtar, N., Liu, J., Mian, A.: Defense against universal adversarial perturbations. In: CVPR, pp. 3389–3398 (2018). https://doi.org/10.1109/CVPR.2018.00357 Wang et al. [2021] Wang, J., Chang, X., Wang, Y., Rodríguez, R.J., Zhang, J.: Lsgan-at: enhancing malware detector robustness against adversarial examples. Cybersecurity 4, 1–15 (2021) Madaan et al. [2020] Madaan, D., Shin, J., Hwang, S.J.: Adversarial neural pruning with latent vulnerability suppression. In: ICML, vol. 119, pp. 6575–6585 (2020) Zhang et al. [2020] Zhang, Y., Li, Y., Liu, T., Tian, X.: Dual-path distillation: A unified framework to improve black-box attacks. In: ICML, vol. 119, pp. 11163–11172 (2020) Guo et al. [2023] Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, J., Chang, X., Wang, Y., Rodríguez, R.J., Zhang, J.: Lsgan-at: enhancing malware detector robustness against adversarial examples. Cybersecurity 4, 1–15 (2021) Madaan et al. [2020] Madaan, D., Shin, J., Hwang, S.J.: Adversarial neural pruning with latent vulnerability suppression. In: ICML, vol. 119, pp. 6575–6585 (2020) Zhang et al. [2020] Zhang, Y., Li, Y., Liu, T., Tian, X.: Dual-path distillation: A unified framework to improve black-box attacks. In: ICML, vol. 119, pp. 11163–11172 (2020) Guo et al. [2023] Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Madaan, D., Shin, J., Hwang, S.J.: Adversarial neural pruning with latent vulnerability suppression. In: ICML, vol. 119, pp. 6575–6585 (2020) Zhang et al. [2020] Zhang, Y., Li, Y., Liu, T., Tian, X.: Dual-path distillation: A unified framework to improve black-box attacks. In: ICML, vol. 119, pp. 11163–11172 (2020) Guo et al. [2023] Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhang, Y., Li, Y., Liu, T., Tian, X.: Dual-path distillation: A unified framework to improve black-box attacks. In: ICML, vol. 119, pp. 11163–11172 (2020) Guo et al. [2023] Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Eykholt, K., Evtimov, I., Fernandes, E., Li, B., Rahmati, A., Xiao, C., Prakash, A., Kohno, T., Song, D.: Robust physical-world attacks on deep learning visual classification. In: CVPR (2018). https://doi.org/10.1109/CVPR.2018.00175 Akhtar et al. [2018] Akhtar, N., Liu, J., Mian, A.: Defense against universal adversarial perturbations. In: CVPR, pp. 3389–3398 (2018). https://doi.org/10.1109/CVPR.2018.00357 Wang et al. [2021] Wang, J., Chang, X., Wang, Y., Rodríguez, R.J., Zhang, J.: Lsgan-at: enhancing malware detector robustness against adversarial examples. Cybersecurity 4, 1–15 (2021) Madaan et al. [2020] Madaan, D., Shin, J., Hwang, S.J.: Adversarial neural pruning with latent vulnerability suppression. In: ICML, vol. 119, pp. 6575–6585 (2020) Zhang et al. [2020] Zhang, Y., Li, Y., Liu, T., Tian, X.: Dual-path distillation: A unified framework to improve black-box attacks. In: ICML, vol. 119, pp. 11163–11172 (2020) Guo et al. [2023] Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Akhtar, N., Liu, J., Mian, A.: Defense against universal adversarial perturbations. In: CVPR, pp. 3389–3398 (2018). https://doi.org/10.1109/CVPR.2018.00357 Wang et al. [2021] Wang, J., Chang, X., Wang, Y., Rodríguez, R.J., Zhang, J.: Lsgan-at: enhancing malware detector robustness against adversarial examples. Cybersecurity 4, 1–15 (2021) Madaan et al. [2020] Madaan, D., Shin, J., Hwang, S.J.: Adversarial neural pruning with latent vulnerability suppression. In: ICML, vol. 119, pp. 6575–6585 (2020) Zhang et al. [2020] Zhang, Y., Li, Y., Liu, T., Tian, X.: Dual-path distillation: A unified framework to improve black-box attacks. In: ICML, vol. 119, pp. 11163–11172 (2020) Guo et al. [2023] Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, J., Chang, X., Wang, Y., Rodríguez, R.J., Zhang, J.: Lsgan-at: enhancing malware detector robustness against adversarial examples. Cybersecurity 4, 1–15 (2021) Madaan et al. [2020] Madaan, D., Shin, J., Hwang, S.J.: Adversarial neural pruning with latent vulnerability suppression. In: ICML, vol. 119, pp. 6575–6585 (2020) Zhang et al. [2020] Zhang, Y., Li, Y., Liu, T., Tian, X.: Dual-path distillation: A unified framework to improve black-box attacks. In: ICML, vol. 119, pp. 11163–11172 (2020) Guo et al. [2023] Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Madaan, D., Shin, J., Hwang, S.J.: Adversarial neural pruning with latent vulnerability suppression. In: ICML, vol. 119, pp. 6575–6585 (2020) Zhang et al. [2020] Zhang, Y., Li, Y., Liu, T., Tian, X.: Dual-path distillation: A unified framework to improve black-box attacks. In: ICML, vol. 119, pp. 11163–11172 (2020) Guo et al. [2023] Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhang, Y., Li, Y., Liu, T., Tian, X.: Dual-path distillation: A unified framework to improve black-box attacks. In: ICML, vol. 119, pp. 11163–11172 (2020) Guo et al. [2023] Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Akhtar, N., Liu, J., Mian, A.: Defense against universal adversarial perturbations. In: CVPR, pp. 3389–3398 (2018). https://doi.org/10.1109/CVPR.2018.00357 Wang et al. [2021] Wang, J., Chang, X., Wang, Y., Rodríguez, R.J., Zhang, J.: Lsgan-at: enhancing malware detector robustness against adversarial examples. Cybersecurity 4, 1–15 (2021) Madaan et al. [2020] Madaan, D., Shin, J., Hwang, S.J.: Adversarial neural pruning with latent vulnerability suppression. In: ICML, vol. 119, pp. 6575–6585 (2020) Zhang et al. [2020] Zhang, Y., Li, Y., Liu, T., Tian, X.: Dual-path distillation: A unified framework to improve black-box attacks. In: ICML, vol. 119, pp. 11163–11172 (2020) Guo et al. [2023] Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, J., Chang, X., Wang, Y., Rodríguez, R.J., Zhang, J.: Lsgan-at: enhancing malware detector robustness against adversarial examples. Cybersecurity 4, 1–15 (2021) Madaan et al. [2020] Madaan, D., Shin, J., Hwang, S.J.: Adversarial neural pruning with latent vulnerability suppression. In: ICML, vol. 119, pp. 6575–6585 (2020) Zhang et al. [2020] Zhang, Y., Li, Y., Liu, T., Tian, X.: Dual-path distillation: A unified framework to improve black-box attacks. In: ICML, vol. 119, pp. 11163–11172 (2020) Guo et al. [2023] Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Madaan, D., Shin, J., Hwang, S.J.: Adversarial neural pruning with latent vulnerability suppression. In: ICML, vol. 119, pp. 6575–6585 (2020) Zhang et al. [2020] Zhang, Y., Li, Y., Liu, T., Tian, X.: Dual-path distillation: A unified framework to improve black-box attacks. In: ICML, vol. 119, pp. 11163–11172 (2020) Guo et al. [2023] Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhang, Y., Li, Y., Liu, T., Tian, X.: Dual-path distillation: A unified framework to improve black-box attacks. In: ICML, vol. 119, pp. 11163–11172 (2020) Guo et al. [2023] Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Wang, J., Chang, X., Wang, Y., Rodríguez, R.J., Zhang, J.: Lsgan-at: enhancing malware detector robustness against adversarial examples. Cybersecurity 4, 1–15 (2021) Madaan et al. [2020] Madaan, D., Shin, J., Hwang, S.J.: Adversarial neural pruning with latent vulnerability suppression. In: ICML, vol. 119, pp. 6575–6585 (2020) Zhang et al. [2020] Zhang, Y., Li, Y., Liu, T., Tian, X.: Dual-path distillation: A unified framework to improve black-box attacks. In: ICML, vol. 119, pp. 11163–11172 (2020) Guo et al. [2023] Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Madaan, D., Shin, J., Hwang, S.J.: Adversarial neural pruning with latent vulnerability suppression. In: ICML, vol. 119, pp. 6575–6585 (2020) Zhang et al. [2020] Zhang, Y., Li, Y., Liu, T., Tian, X.: Dual-path distillation: A unified framework to improve black-box attacks. In: ICML, vol. 119, pp. 11163–11172 (2020) Guo et al. [2023] Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhang, Y., Li, Y., Liu, T., Tian, X.: Dual-path distillation: A unified framework to improve black-box attacks. In: ICML, vol. 119, pp. 11163–11172 (2020) Guo et al. [2023] Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Madaan, D., Shin, J., Hwang, S.J.: Adversarial neural pruning with latent vulnerability suppression. In: ICML, vol. 119, pp. 6575–6585 (2020) Zhang et al. [2020] Zhang, Y., Li, Y., Liu, T., Tian, X.: Dual-path distillation: A unified framework to improve black-box attacks. In: ICML, vol. 119, pp. 11163–11172 (2020) Guo et al. [2023] Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhang, Y., Li, Y., Liu, T., Tian, X.: Dual-path distillation: A unified framework to improve black-box attacks. In: ICML, vol. 119, pp. 11163–11172 (2020) Guo et al. [2023] Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Zhang, Y., Li, Y., Liu, T., Tian, X.: Dual-path distillation: A unified framework to improve black-box attacks. In: ICML, vol. 119, pp. 11163–11172 (2020) Guo et al. [2023] Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Guo, F., Sun, Z., Chen, Y., Ju, L.: Towards the universal defense for query-based audio adversarial attacks on speech recognition system. Cybersecurity 6(1), 1–18 (2023) Carlini and Wagner [2017] Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Carlini, N., Wagner, D.A.: Towards evaluating the robustness of neural networks. In: S&P (2017). https://doi.org/10.1109/SP.2017.49 Sun et al. [2018] Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Sun, L., Tan, M., Zhou, Z.: A survey of practical adversarial example attacks. Cybersecurity 1, 1–9 (2018) Mirsky [2023] Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Mirsky, Y.: Ipatch: a remote adversarial patch. Cybersecurity 6(1), 18 (2023) Guo et al. [2019] Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Guo, C., Gardner, J.R., You, Y., Wilson, A.G., Weinberger, K.Q.: Simple black-box adversarial attacks. In: ICML, vol. 97, pp. 2484–2493 (2019) Tu et al. [2019] Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Tu, C., Ting, P., Chen, P., Liu, S., Zhang, H., Yi, J., Hsieh, C., Cheng, S.: Autozoom: Autoencoder-based zeroth order optimization method for attacking black-box neural networks. In: AAAI, pp. 742–749 (2019). https://doi.org/10.1609/aaai.v33i01.3301742 Wu et al. [2020] Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Wu, H., Liu, A.T., Lee, H.: Defense for black-box attacks on anti-spoofing models by self-supervised learning. In: INTERSPEECH, pp. 3780–3784 (2020). https://doi.org/10.21437/Interspeech.2020-2026 Ding and Xu [2020] Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Ding, J., Xu, Z.: Adversarial attacks on deep learning models of computer vision: A survey. In: ICA3PP, vol. 12454, pp. 396–408 (2020). https://doi.org/10.1007/978-3-030-60248-2_27 Chakraborty et al. [2018] Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: A survey. CoRR abs/1810.00069 (2018) Tramèr et al. [2018] Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I.J., Boneh, D., McDaniel, P.D.: Ensemble adversarial training: Attacks and defenses. In: ICLR (2018) Guo et al. [2018] Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Guo, C., Rana, M., Cissé, M., Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018) Chen et al. [2017] Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Chen, P., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.: ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: ACM AISec@CCS, pp. 15–26 (2017). https://doi.org/10.1145/3128572.3140448 Ilyas et al. [2018] Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, vol. 80, pp. 2142–2151 (2018) Li et al. [2019] Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Li, Y., Li, L., Wang, L., Zhang, T., Gong, B.: NATTACK: learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In: ICML, vol. 97, pp. 3866–3876 (2019) Ilyas et al. [2019] Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: Black-box adversarial attacks with bandits and priors. In: ICLR (2019) Baluja and Fischer [2018] Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Baluja, S., Fischer, I.: Learning to attack: Adversarial transformation networks. In: AAAI, pp. 2687–2695 (2018) Wang and Yu [2019] Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Wang, H., Yu, C.: A direct approach to robust deep learning using adversarial networks. In: ICLR (2019) Huang and Zhang [2020] Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Huang, Z., Zhang, T.: Black-box adversarial attack with transferable model-based embedding. In: ICLR (2020) Xiao et al. [2018] Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Xiao, C., Li, B., Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905–3911 (2018). https://doi.org/10.24963/ijcai.2018/543 Dolatabadi et al. [2020] Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Dolatabadi, H.M., Erfani, S.M., Leckie, C.: Advflow: Inconspicuous black-box adversarial attacks using normalizing flows. In: NeurIPS (2020) Feng et al. [2022] Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Feng, Y., Wu, B., Fan, Y., Liu, L., Li, Z., Xia, S.: Boosting black-box attack with partially transferred conditional adversarial distribution. In: CVPR, pp. 15074–15083 (2022). https://doi.org/10.1109/CVPR52688.2022.01467 Lu and Huang [2020] Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Lu, Y., Huang, B.: Structured output learning with conditional generative flows. In: AAAI, pp. 5005–5012 (2020) Dinh et al. [2015] Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Dinh, L., Krueger, D., Bengio, Y.: NICE: non-linear independent components estimation. In: ICLR (2015) Kingma and Dhariwal [2018] Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Kingma, D.P., Dhariwal, P.: Glow: Generative flow with invertible 1x1 convolutions. In: NeurIPS, pp. 10236–10245 (2018) Sohn et al. [2015] Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Sohn, K., Lee, H., Yan, X.: Learning structured output representation using deep conditional generative models. In: NeurIPS, pp. 3483–3491 (2015) Mirza and Osindero [2014] Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Mirza, M., Osindero, S.: Conditional generative adversarial nets. CoRR abs/1411.1784 (2014) Pumarola et al. [2020] Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Pumarola, A., Popov, S., Moreno-Noguer, F., Ferrari, V.: C-flow: Conditional generative flow models for images and 3d point clouds. In: CVPR, pp. 7946–7955 (2020). https://doi.org/10.1109/CVPR42600.2020.00797 Liu et al. [2019] Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Liu, R., Liu, Y., Gong, X., Wang, X., Li, H.: Conditional adversarial generative flow for controllable image synthesis. In: CVPR, pp. 7992–8001 (2019). https://doi.org/10.1109/CVPR.2019.00818 Ardizzone et al. [2019] Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Ardizzone, L., Lüth, C., Kruse, J., Rother, C., Köthe, U.: Guided image generation with conditional invertible neural networks. CoRR abs/1907.02392 (2019) Krizhevsky et al. [2009] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases 1(4) (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.: Reading digits in natural images with unsupervised feature learning. In: NIPS Workshop on Deep Learning and Unsupervised Feature Learning (2011) Russakovsky et al. [2015] Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M.S., Berg, A.C., Li, F.: Imagenet large scale visual recognition challenge. International Journal of Computer Vision 115(3), 211–252 (2015) https://doi.org/10.1007/s11263-015-0816-y He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016). https://doi.org/10.1109/CVPR.2016.90 Szegedy et al. [2016] Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Szegedy, C., Vanhoucke, V., Ioffe, S., Shlens, J., Wojna, Z.: Rethinking the inception architecture for computer vision. In: CVPR, pp. 2818–2826 (2016). https://doi.org/10.1109/CVPR.2016.308 Hu et al. [2018] Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Hu, J., Shen, L., Sun, G.: Squeeze-and-excitation networks. In: CVPR, pp. 7132–7141 (2018). https://doi.org/10.1109/CVPR.2018.00745 Szegedy et al. [2017] Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Szegedy, C., Ioffe, S., Vanhoucke, V., Alemi, A.A.: Inception-v4, inception-resnet and the impact of residual connections on learning. In: AAAI, pp. 4278–4284 (2017) He et al. [2016] He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- He, K., Zhang, X., Ren, S., Sun, J.: Identity mappings in deep residual networks. In: ECCV, vol. 9908, pp. 630–645 (2016) Madry et al. [2018] Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018) Krizhevsky and Hinton [2009] Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Computer Science Department, University of Toronto, Tech. Rep 1 (2009) Netzer et al. [2011] Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y.: Reading digits in natural images with unsupervised feature learning (2011) Simonyan and Zisserman [2015] Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015) Sandler et al. [2018] Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Sandler, M., Howard, A.G., Zhu, M., Zhmoginov, A., Chen, L.: Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. CoRR abs/1801.04381 (2018) Ma et al. [2018] Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Ma, N., Zhang, X., Zheng, H., Sun, J.: Shufflenet V2: practical guidelines for efficient CNN architecture design. In: ECCV, vol. 11218, pp. 122–138 (2018). https://doi.org/10.1007/978-3-030-01264-9_8 Cheng et al. [2020] Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Cheng, M., Singh, S., Chen, P.H., Chen, P., Liu, S., Hsieh, C.: Sign-opt: A query-efficient hard-label adversarial attack. In: ICLR (2020) Chen and Gu [2020] Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Chen, J., Gu, Q.: Rays: A ray searching method for hard-label adversarial attack. In: KDD, pp. 1739–1747 (2020). https://doi.org/10.1145/3394486.3403225 Ma et al. [2021] Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Ma, C., Guo, X., Chen, L., Yong, J., Wang, Y.: Finding optimal tangent points for reducing distortions of hard-label attacks. In: NeurIPS, pp. 19288–19300 (2021) Wang et al. [2022] Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Wang, X., Zhang, Z., Tong, K., Gong, D., He, K., Li, Z., Liu, W.: Triangle attack: A query-efficient decision-based adversarial attack. In: ECCV, vol. 13665, pp. 156–174 (2022). https://doi.org/10.1007/978-3-031-20065-6_10 Reza et al. [2023] Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Reza, M.F., Rahmati, A., Wu, T., Dai, H.: Cgba: Curvature-aware geometric black-box attack. In: ICCV, pp. 124–133 (2023) Dong et al. [2022] Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Dong, Y., Cheng, S., Pang, T., Su, H., Zhu, J.: Query-efficient black-box adversarial attacks guided by a transfer-based prior. IEEE Transactions on Pattern Analysis and Machine Intelligence. 44(12), 9536–9548 (2022) https://doi.org/10.1109/TPAMI.2021.3126733 Ling et al. [2019] Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Ling, X., Ji, S., Zou, J., Wang, J., Wu, C., Li, B., Wang, T.: DEEPSEC: A uniform platform for security analysis of deep learning model. In: S&P, pp. 673–690 (2019). https://doi.org/10.1109/SP.2019.00023 Zhao et al. [2020] Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Zhao, P., Chen, P., Wang, S., Lin, X.: Towards query-efficient black-box adversary with zeroth-order natural gradient descent. In: AAAI, pp. 6909–6916 (2020) Huang et al. [2017] Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Huang, G., Liu, Z., Maaten, L., Weinberger, K.Q.: Densely connected convolutional networks. In: CVPR, pp. 2261–2269 (2017). https://doi.org/10.1109/CVPR.2017.243 Szegedy et al. [2015] Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Szegedy, C., Liu, W., Jia, Y., Sermanet, P., Reed, S.E., Anguelov, D., Erhan, D., Vanhoucke, V., Rabinovich, A.: Going deeper with convolutions. In: CVPR, pp. 1–9 (2015). https://doi.org/10.1109/CVPR.2015.7298594 Everingham et al. [2010] Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Everingham, M., Van Gool, L., Williams, C.K.I., Winn, J., Zisserman, A.: The pascal visual object classes (voc) challenge. International Journal of Computer Vision 88(2), 303–338 (2010) Zhou et al. [2017] Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Zhou, B., Lapedriza, A., Khosla, A., Oliva, A., Torralba, A.: Places: A 10 million image database for scene recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence (2017) Fei-Fei et al. [2004] Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Fei-Fei, L., Fergus, R., Perona, P.: Learning generative visual models from few training examples: An incremental bayesian approach tested on 101 object categories. In: CVPR, p. 178 (2004). https://doi.org/10.1109/CVPR.2004.383 Zagoruyko and Komodakis [2016] Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016) Matachana et al. [2020] Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Matachana, A.G., Co, K.T., Muñoz-González, L., Martínez-Rego, D., Lupu, E.C.: Robustness and transferability of universal attacks on compressed models. CoRR abs/2012.06024 (2020) Dosovitskiy et al. [2021] Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., Uszkoreit, J., Houlsby, N.: An image is worth 16x16 words: Transformers for image recognition at scale. In: ICLR (2021) Liu et al. [2021] Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Liu, Z., Lin, Y., Cao, Y., Hu, H., Wei, Y., Zhang, Z., Lin, S., Guo, B.: Swin transformer: Hierarchical vision transformer using shifted windows. In: ICCV, pp. 9992–10002 (2021) Poursaeed et al. [2018] Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018) Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)
- Poursaeed, O., Katsman, I., Gao, B., Belongie, S.J.: Generative adversarial perturbations. In: CVPR, pp. 4422–4431 (2018)